Abstract. We analyse the complexity of solving the discrete logarithm
problem and of testing the principality of ideals in a certain class of number
fields. We achieve the subexponential complexity in $O(L(1/3, O(1)))$
when both the discriminant and the degree of the extension tend to infinity
by using techniques due to Enge, Gaudry and Thomé in the context
of algebraic curves over finite fields.



1 Introduction 

Quadratic number fields were proposed as a setting for public-key cryptosystems
in the late 1980s by Buchmann and Williams [5,6]. Those cryptosystems were
generalized to number fields of arbitrary dimension about a decade later [2,4,15].
Their security relies on the hardness of the discrete logarithm problem and
the principality testing problem. The complexity of the algorithms for solving
these problems on a number field $K$ of discriminant $\Delta$ is bounded by $L(1/2, O(1))$,
where the subexponential function is defined as

$$L(\alpha,\beta) = e^{\beta\,\log_2|\Delta|^{\alpha}\,\log_2\log_2|\Delta|^{1-\alpha}}.$$

This complexity is asymptotically slower than the one for factoring, which reduces
to the problem of computing the class number, and although the discrete
logarithm problem in the Jacobian of elliptic curves remains exponential, there
is no known reduction between this problem and the discrete logarithm problems
in number fields either. Therefore, studying the hardness of the discrete
logarithm problem and of the principality testing problem on number fields is
of cryptographic interest since they provide alternative cryptosystems whose
security is unrelated to those currently being used.

In this paper, we exhibit the first infinite class of number fields for which these
problems can be solved in expected time bounded by $L(1/3, O(1))$. We follow
the approach of Biasse [1], who described a class of number fields on which class
group and regulator computation can be done in expected time $L(1/3, O(1))$,
and the one of Enge, Gaudry and Thomé [10, 11], who described an algorithm
for solving the discrete logarithm problem in complexity $L(1/3, O(1))$ in certain
algebraic curves.



2 Number fields 



Let $\mathcal{K}$ be a number field of degree $n$, $\theta \in \mathcal{K}$, and $T[X] = \sum_{i \le n} t_i X^i \in \mathbb{Z}[X]$ such
that

$$\mathcal{K} = \mathbb{Q}[X]/T(X) = \mathbb{Q}(\theta).$$

We denote by $\mathcal{O}_K$ its maximal order and by $Cl(\mathcal{O}_K)$ the ideal class group of its
maximal order. The ideal class group of an order is a finite group of cardinality
denoted by $h(\mathcal{O}_K)$ which is unknown to both parties in number field cryptosystems.
Solving the discrete logarithm problem with respect to $\mathfrak{a}$ and $\mathfrak{b} \in Cl(\mathcal{O}_K)$
consists of finding $x \in \mathbb{Z}$ such that

$$\mathfrak{b} = \mathfrak{a}^x.$$

The principality testing problem with respect to an ideal $I$ of $\mathcal{O}_K$ consists of
deciding if there exists $\alpha \in \mathcal{O}_K$ such that

$$I = (\alpha)$$

and if so, computing $\alpha$. Direct computation of $\alpha$ in subexponential time is
impossible because of the size of its coefficients, thus obliging us to give a com-

In number fields of fixed degree (typically when the dimension is 2), these problems
can be solved in subexponential time. The strategy described in [3] consists
of defining a factor base $\mathcal{B}$ containing the primes of norm bounded by an integer
$B$ and reducing random power-products $\prod_i \mathfrak{p}_i^{e_i}$ of elements $\mathfrak{p}_i \in \mathcal{B}$ until
an equivalent $B$-smooth ideal is found. Whenever this occurs, we can derive a
row of the so-called relation matrix which, after a suitable linear transformation,
yields the structure of $Cl(\mathcal{O}_K)$ and enables us to solve instances of the discrete
logarithm problem and principal ideal problem. If the degree is no longer assumed
to be fixed, then every reduction step is exponential in the degree of $\mathcal{K}$
since it uses the LLL algorithm [13].

3 Main idea

Let $d := \max_i\{\log_2(t_i)\}$; we require that

$$n = n_0 \log_2(|\Delta|)^{\alpha}(1 + o(1)) \qquad (1)$$
$$d = d_0 \log_2(|\Delta|)^{1-\alpha}(1 + o(1)) \qquad (2)$$

for some $\alpha \in [1/3, 2/3[$, and some constants $n_0$ and $d_0$. We define $\kappa := n_0 d_0$. We
also denote by $s$ the number of real places, by $t$ the number of complex places
and we define $r := t + s - 1$. We also require that $\mathb{Z}[\theta] = \mathcal{O}_K$.



Example. Let $K \in \mathbb{Z}$, and $\mathcal{K}_{n,K}$ be an extension of $\mathbb{Q}$ defined by a polynomial
of the form

$$T(X) = X^n - K,$$

with

$$\log K = \lceil \log_2(|\Delta|)^{1-\alpha} \rceil, \qquad n = \lfloor \log_2(|\Delta|)^{\alpha} \rfloor,$$

for some $\alpha \in [1/3, 2/3[$. Then $\mathcal{O}_{\mathcal{K}_{n,K}}$ has discriminant satisfying

$$\log_2(\mathrm{Disc}(\mathcal{O}_{\mathcal{K}_{n,K}})) \sim \log_2(K^{n-1}) = \log_2(|\Delta|)(1 + o(1)).$$

If in addition we require that $n$ and $K$ be the largest prime numbers below their
respective bounds such that

$$n^2 \nmid K^{n-1} - 1,$$

then we meet the last restriction $\mathbb{Z}[\theta] = \mathcal{O}_{\mathcal{K}_{n,K}}$ (for a proof, see [9], Chapter 6 §1).

In [1], it is shown that the computation of the group structure of $Cl(\mathcal{O}_K)$
and of the regulator of $\mathcal{O}_K$ with a number of bits of precision in $L(1/3, O(1))$
could be achieved in expected time $L(1/3, O(1))$ under some assumptions that
we will specify in the following. The main idea is to use sieving-based techniques
to create relations of the form

where $\phi \in \mathcal{O}_K$ and the $\mathfrak{p}_i$ are non inert prime ideals of norm bounded by a
certain integer $B$; we denote this set by $\mathcal{B}$. Every time such a relation is found,
the vector

$$(e_1, \dots, e_N, \log|\phi|_1, \dots, \log|\phi|_r)$$

is added as a row of the relation matrix $M$, which has the following shape



Mb 



Then, provided the rows of $M$ generate the whole lattice of relations, the Smith
normal form of $M_{\mathbb{Z}}$ yields the group structure of $Cl(\mathcal{O}_K)$ whereas its kernel yields
$R$.

Now, given two ideals $\mathfrak{a}$ and $\mathfrak{b}$ such that $\exists x \in \mathbb{Z}$, $\mathfrak{b} = \mathfrak{a}^x$, computing their discrete
logarithm can be done by decomposing them over $\mathcal{B}$,

and performing a linear algebra phase consisting of solving one linear system.
Likewise, if we need to test the principality of an ideal $I$ and compute $\alpha$ such
that $I = (\alpha)$, then it suffices to find $b := [e_1, \dots, e_N]$ such that

$$I = \mathfrak{p}_1^{e_1}\cdots\mathfrak{p}_N^{e_N}.$$

$I$ is principal if and only if $b$ belongs to the lattice of relations. We thus solve
$XM_{\mathbb{Z}} = b$ and derive $\alpha$ from the coefficients of $X$ and the generators $\phi_i$ of the
relations of $M$. We thus see here that solving the discrete logarithm problem
and testing the principality rely on our ability to decompose an arbitrary ideal
into a power product of elements of $\mathcal{B}$.

To do this, we follow the approach of Enge, Gaudry and Thomé for algebraic
curves [10,11] involving a $q$-descent strategy. Given an ideal $I$, it consists of
decomposing it as a power product of prime ideals (not necessarily in $\mathcal{B}$), and
then decomposing those primes as power products of primes of a lower norm
until we only have prime ideals of norm bounded by $B$.



4 Relation matrix 



Let $\rho$ be a constant to be determined later, and $B$ a smoothness bound satisfying

$$B = \lceil L(1/3, \rho) \rceil.$$

We define the factor base $\mathcal{B}$ as the set of all non inert prime ideals of norm
bounded by $B$. This factor base has cardinality

$$N := |\mathcal{B}| = L(1/3, \rho + o(1)).$$

The sieving phase consists of enumerating $\phi \in \mathcal{O}_K$ of the form

$$\phi = A(\theta),$$

with $A[X] \in \mathbb{Z}[X]$ of degree $k$ whose coefficients $a_i$ have their logarithm bounded
by an integer $a$ such that there exist two constants $\delta$ and $\nu$ to be determined
later satisfying

$$a \le \delta\,\frac{\kappa\log_2|\Delta|/n}{(\log_2|\Delta|/M)^{1/3}} \qquad (3)$$
$$k \le \nu\,\frac{n}{(\log_2|\Delta|/M)^{1/3}} \qquad (4)$$

with $M := \log_2\log_2|\Delta|$. Landau-Mignotte's theorem [16] states that if $D \mid T$
with $\deg D = m$, then the coefficients $d_j$ of $D$ satisfy $|d_j| \le 2^{m-1}(|T| + t_n)$,
where $|T|$ is the Euclidean norm of the vector of the coefficients of $T$. Applying
this to $D = X - \sigma_i(\theta)$ and $m = 1$ allows us to obtain



$$\log(|\theta|_i) \le \log(|T| + t_n) \in O(\log(|\Delta|)^{1-\alpha}),$$



for $i \le r$. From $\phi = A(\theta)$, and $a$ and $k$ respectively bounded by (3) and (4), we
have

$$\log|\phi|_i \in O(\log(|\Delta|)^{2/3} M^{1/3}).$$

We can thus derive a bound on the maximum value $|M_{\mathbb{Z}}|$ of the norm of a
coefficient of $M_{\mathbb{Z}}$.

Proposition 1. $|M_{\mathbb{Z}}|$ satisfies

$$|M_{\mathbb{Z}}| = O\big((\log_2|\Delta|)^{2/3}(\log_2\log_2|\Delta|)^{1/3}\big).$$

During the relation collection phase, we collect $N + Kr$ relations, where $K$
is a constant. We rely on the following heuristic to make sure that we generate
the full lattice of relations.

Heuristic 1. The $N + Kr$ relations collected this way generate the full lattice of
relations.

5 Smoothness 

We need to evaluate the smoothness of ideals with respect to $\mathcal{B}$. Let $\psi_\Delta(\iota, \mu)$
be the set of ideals $I$ such that $\mathcal{N}(I) \le \iota$ which are smooth with respect to
the set of primes $\mathfrak{p}$ satisfying $\mathcal{N}(\mathfrak{p}) \le \mu$, and $\psi(x, y)$ be the set of integers of
logarithm bounded by $x$ smooth with respect to primes of logarithm bounded by
$y$. $\psi$ was first described in [7] by Canfield, Erdős and Pomerance. We need to make
the following assumption on the smoothness of ideals.

Heuristic 2. We assume that

$$\ge \exp\left(-u\left(\log_2 u + \log_2\log_2 u - 1 + O\left(\frac{\log_2\log_2 u}{\log_2 u}\right)\right)\right), \qquad (5)$$

for $u = \iota/\mu$. In addition, assume that $\mathcal{N}(\phi)$ behaves like a random number whose
logarithm satisfies

$$\log_2(\mathcal{N}(\phi)) \le \iota := \kappa\log_2(|\Delta|)^{2/3} M^{1/3}(\delta + \nu + o(1)),$$

and whose distribution is given by

$$\ge \exp\left(-u\left(\log_2 u + \log_2\log_2 u - 1 + O\left(\frac{\log_2\log_2 u}{\log_2 u}\right)\right)\right). \qquad (6)$$

The assertion concerning $\psi_\Delta$ can be proved in the quadratic case [17] but
remains conjectural for arbitrary $n$ [3]. In the context of curves, Enge, Gaudry
and Thomé used a theorem due to Hess to derive the equivalent of (5) for divisors
in the Jacobian of a curve, but had to use a similar heuristic for (6). Using [7],
and carrying out the same computation as in the proof of Theorem 1 of [10, 11],
one readily shows the following result on the probability of finding a relation:



Proposition 2. Let

$$\iota = \lfloor \log_2 L(\psi, c) \rfloor = \lfloor c\,\log_2(|\Delta|)^{\psi} M^{1-\psi} \rfloor,$$
$$\mu = \lceil \log_2 L(\beta, d) \rceil = \lceil d\,\log_2(|\Delta|)^{\beta} M^{1-\beta} \rceil,$$

then we have

$$\ge L\!\left(\psi - \beta,\ \frac{c}{d}(\psi - \beta) + o(1)\right).$$

Proposition 2 allows us to bound the expected time for finding a $B$-smooth
ideal. In §6, we show how to decompose prime ideals of the form $p\mathcal{O}_K + (\theta - v_p)\mathcal{O}_K$
over a set of prime ideals of the same form with a smaller norm. In the general
case, prime ideals can have a ramification index $f \ge 2$ and thus be of the
form $p\mathcal{O}_K + T_p(\theta)\mathcal{O}_K$ where $\deg(T_p) = f$. However, it can be shown that the
ramified primes have Dirichlet density 0, allowing us to consider that $B$-smooth
decompositions with unramified primes occur with the same probability as in
Proposition 2. A proof of this result can be found in Chapter IV, Proposition
4.5 of [12] for example.

Proposition 2 with parameters $\beta = \frac{1}{3}$, $d = \rho$, $\psi = \frac{2}{3}$ and $c = \kappa(\delta + \nu + o(1))$
shows that the expected number of trials to obtain a relation is at most

$$L\!\left(1/3,\ \frac{\kappa(\delta + \nu)}{3\rho} + o(1)\right).$$

Since the factor base has size $N \in O(L(1/3, \rho))$, the complexity
of the relation collection phase with respect to the parameters $\rho, \nu, \kappa, \delta$
is in

$$L\!\left(1/3,\ \frac{\kappa(\delta + \nu)}{3\rho} + \rho + o(1)\right).$$

These parameters are chosen to ensure that the overall time be optimal. The
linear algebra phase is polynomial in the dimension of $M$, which is given by
$L(1/3, \rho + o(1))$. We need to compute the regulator, which can be done in expected
time $L(1/3, 3\rho + o(1))$ provided the bit precision is also bounded by
$L(1/3, 3\rho + o(1))$ (see [1]). It is shown in [14] that linear systems of the form
$XM_{\mathbb{Z}}$ can be solved in time

$$O\big(N^3(\log_2 n + \log_2|M_{\mathbb{Z}}|)^2\big),$$

where $|M_{\mathbb{Z}}|$ is the largest absolute value of a coefficient of $M_{\mathbb{Z}}$. The computation
of a discrete logarithm in $Cl(\mathcal{O}_K)$ with Vollmer's method [18] is done by solving
a system of the form $XM'_{\mathbb{Z}}$ where $M'_{\mathbb{Z}}$ is $M_{\mathbb{Z}}$ augmented with two extra rows
whose coefficients are proved to be bounded by $e^{O(\log_2|\Delta|^{1/3} M^{2/3})}$ in §7. The
linear algebra phase thus has a complexity bounded by $L(1/3, 3\rho + o(1))$. We
emphasize here that we do not need to compute the group structure of $Cl(\mathcal{O}_K)$,
thus avoiding the computation of the Hermite normal form of $M_{\mathbb{Z}}$. We can
prove that the optimal strategy is to spend the same amount of time for the



relation collection and for the linear algebra. Therefore, the parameters must
satisfy

$$\kappa\nu\delta = 3\rho. \qquad (7)$$

In addition, the number of $\phi$ in the search space is in $O(L(1/3, \nu\delta\kappa))$. We thus
have the additional constraint on the parameters

$$\nu\delta\kappa = \frac{\kappa(\delta + \nu)}{3\rho} + \rho, \qquad (8)$$

ensuring that the search space is large enough to yield the $N + Kr$ relations.
From (7) and (8), we obtain

$$\nu\delta = \frac{3\rho}{\kappa}, \qquad \nu + \delta = \frac{6\rho^2}{\kappa}.$$

Thus, $\delta$ and $\nu$ are roots of the polynomial

$$X^2 - \frac{6\rho^2}{\kappa}X + \frac{3\rho}{\kappa}.$$

These roots exist provided we have

The optimal choice is to minimize $\rho$, thus fixing the parameters $\delta$ and $\nu$:

$$\delta = \nu = \sqrt[3]{\frac{3}{\kappa}}.$$

The total running time becomes $L(1/3, c + o(1))$, with

$$c = 3\rho = \sqrt[3]{9\kappa}.$$



6 Decomposition over B 

Assuming Heuristics 1 and 2, we can study the complexity of the $q$-descent. In
what follows, we show how to decompose an ideal as a power product of elements
of $\mathcal{B}$, starting with a lemma allowing us to find integers $\alpha_1, \dots, \alpha_{k+1}$ minimizing
$\sum_i \alpha_i v_i$ for some $v_i$.

Lemma 1. Let $v_1, \dots, v_{k+1}$ be integers satisfying $\log|v_i| \le D$ for some integers
$D$ and $k$ defined by

$$k := \frac{\sigma n}{(\log_2|\Delta|/M)^{1/3 - \tau/2}}, \qquad D := \log_2(L(1/3 + \tau, c)),$$

where $\sigma, \tau, c > 0$. Then for any integer $z$, there exist at least $2^{kz}$ $(k+1)$-tuples
$(\alpha_1, \dots, \alpha_{k+1})$ satisfying

$$\log_2|\alpha_i| \le D/k + z, \qquad \log_2\Big|\sum_i \alpha_i v_i\Big| \le D/k + z.$$



Proof. Let us define the $k+1$ dimensional lattice $\Lambda$ generated by the rows of

$$A := \begin{pmatrix} 1 & & & v_1 \\ & \ddots & & \vdots \\ & & 1 & v_{k+1} \end{pmatrix}.$$

For any element $x \in \Lambda$, there exist $(\alpha_1, \dots, \alpha_{k+1}) \in \mathbb{Z}^{k+1}$ such that

$$x = \Big(\alpha_1, \dots, \alpha_{k+1}, \sum_i \alpha_i v_i\Big).$$

The determinant $d(\Lambda)$ of $\Lambda$ satisfies

$$d(\Lambda) = \sqrt{\det(AA^T)} = \sqrt{1 + \sum_{i \le k+1} v_i^2} \le \sqrt{2k+1}\,2^D.$$

Let $X \subset \mathbb{R}^{k+2}$ be the symmetric and convex set of points defined by

$$X = \{(x_1, \dots, x_{k+2}) \mid \log_2|x_i| \le D/k + z\}.$$

Its volume equals $2^{k+2}\,2^{(k+2)(D/k+z)}$, and from Theorem II of III.2.2 in
[8] we know that if

$$V(X) > m\,2^{k+2}\,d(\Lambda),$$

then $X$ intersects $\Lambda$ in at least $m$ pairs of points $\pm x \in \mathbb{R}^{k+2}$. It thus suffices to
prove that

$$2^{kz} < \frac{2^{(k+2)(D/k+z)}}{\sqrt{2k+1}\,2^D} = \frac{2^{2D/k+2z}}{\sqrt{2k+1}}\,2^{kz},$$

which is satisfied since

$$\frac{D}{k} = \frac{c}{\sigma n_0}\,\log_2|\Delta|^{2/3 - \alpha + \tau/2}\,(\log_2\log_2|\Delta|)^{1/3 - \tau/2} \gg 1.$$

Using Lemma 1, we can state the analogue of Theorem 8 in [11]. Please note
here that the proof we give is almost verbatim, the main difference being the use
of Lemma 1.



Theorem 1. Assuming Heuristic 2, we can decompose any ideal $I$ of $\mathcal{O}_K$ into
a power product of elements of $\mathcal{B}$ in time

$$L(1/3, b + \varepsilon),$$

with $b = 2\sqrt[3]{\kappa/3}$ and any $\varepsilon > 0$.

Proof. Let $I$ be an ideal of norm bounded by $|\Delta|$. We can assume this without
loss of generality since any class of $Cl(\mathcal{O}_K)$ contains an ideal of norm bounded by
$(2/\pi)^s\sqrt{|\Delta|}$. Let $I = u\mathcal{O}_K + (\theta - v)\mathcal{O}_K$ be an ideal of norm bounded by $L(1/3 + \tau, c)$
for some $c > 0$ and $0 < \tau \le 2/3$. The ideal we start with has $\tau = 2/3$ and $c = 1$.
Indeed, it can be proved that any class of $Cl(\mathcal{O}_K)$ contains an ideal of norm
bounded by $|\Delta|$. We search an $L(1/3 + \tau/2, c')$-smooth $\phi \in I$ for a $c'$ depending
on $c$. Such a $\phi$ satisfies $I \mid (\phi)$ and thus $I$ can be decomposed as a power product
of the prime ideals involved in the decomposition of $(\phi)$. We repeat this process
until we obtain a decomposition only involving elements of $\mathcal{B}$. At each stage, we
consider $\phi$ belonging to the lattice of polynomials of degree bounded by

$$\left\lceil \frac{\sigma n}{(\log_2|\Delta|/M)^{1/3 - \tau/2}} \right\rceil,$$

where $\sigma > 0$ is a constant to be determined later. These $\phi$ form a $\mathbb{Z}$-lattice
generated by

$$(v_0,\ \theta - v_1,\ \dots,\ \theta^k - v_k),$$

with $v_0 = u$ and $v_i = v^i \bmod u$ for $i \ge 1$. We want to spend the same time
$L(1/3, \varepsilon + o(1))$ at each smoothing step for $\varepsilon > 0$ to be optimised later. The
sieving space has to be of the same size. We thus look for $L(1/3, \varepsilon + o(1))$
distinct $(k+1)$-tuples $(\alpha_1, \dots, \alpha_{k+1}) \in \mathbb{Z}^{k+1}$. Using Lemma 1, we prove that
for every integer $z$, we can find $2^{kz}$ such tuples satisfying $\log_2|\alpha_i| \le D/k + z$
for $i \le k+1$ and $\log_2|\sum_i \alpha_i v_i| \le D/k + z$. We adjust the value of $z$ to make
sure that all the $L(1/3, \varepsilon + o(1))$ tuples obtained during the sieving phase satisfy this
property by solving $2^{kz} = L(1/3, \varepsilon + o(1))$. This yields

$$z = \frac{1}{n}\log_2 L(2/3 - \tau/2,\ \varepsilon/\sigma + o(1)).$$

Carrying on the same computation as in [10, 11], we can prove that the norm of
the $\phi$ we create during the sieving phase satisfies

$$\mathcal{N}(\phi) \le L(2/3 + \tau/2,\ (c + \varepsilon)/\sigma + o(1)).$$

From Heuristic 2 and Proposition 2, we expect to find at least one $L(1/3 + \tau/2, c')$-smooth
$\phi$ for

$$c' = \frac{1}{3\varepsilon}\big((c + \varepsilon)/\sigma + \sigma\kappa\big).$$

This quantity is minimised by $\sigma = \sqrt{(c + \varepsilon)/\kappa}$, which yields

Starting with $\tau = 2/3$ and $c = 1$, we obtain a power-product of places of norm
bounded by $L(1/3 + \tau_1, c_1)$ with $\tau_1 = 1/3$ and $c_1 = 2\sqrt{\kappa(c_0 + \varepsilon)}/3\varepsilon$. After $i$ steps
we get an ideal which is $L(1/3 + 1/(3\cdot 2^{i-1}), c_i) = L(1/3,\ c_i(\log_2|\Delta|/M)^{1/(3\cdot 2^{i-1})})$-smooth, where

$$c_{i+1} = \frac{2\sqrt{\kappa}}{3\varepsilon}\sqrt{c_i + \varepsilon}.$$

The sequence $c_i$ converges to a finite limit given by

$$c_\infty = \frac{x}{2}\left(x + \sqrt{x^2 + 4\varepsilon}\right),$$

where $x = 2\sqrt{\kappa}/3\varepsilon$. Let $\xi > 0$ be an arbitrary constant. After a number of steps
only depending on $\varepsilon$, $\kappa$ and $\xi$, we have $c_i \le c_\infty(1 + \xi)$, and after $O(\log_2\log_2|\Delta|)$
steps $(\log_2|\Delta|/M)^{1/(3\cdot 2^{i-1})} \le 1 + \xi$. We can thus decompose $I$ as a power-product of prime
ideals of norm bounded by

$$L(1/3,\ c_\infty(1 + \xi)).$$

As each node of the tree has arity $\log_2|\Delta|$, the number of nodes in the tree is
in $L(1/3, o(1))$ and the complexity of the algorithm is in $L(1/3, \varepsilon + o(1))$. As we
want to decompose $I$ as a power product of primes of norm bounded by $L(1/3, \rho)$,
we compute the effort to reach $c_\infty = \rho$. As in [10, 11], we write $\varepsilon$ in terms of a
constant $E$ to be determined later. The equation $\rho = c_\infty$ simplifies as

The least non negative solution $E_0$ satisfies $E_0 \approx 24$, which yields

The time taken to decompose an ideal over $\mathcal{B}$ is subexponential with a constant
$b + \varepsilon$ strictly lower than the one minimizing the time taken by the relation
collection and the linear algebra (see §5). Therefore, there is no need for a more
elaborate optimization of the parameters encapsulating the time for decomposing
an ideal over $\mathcal{B}$.
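As an added worked example (not code from the paper), the following Python carries the parameter choice of §5 and the descent analysis of §6 through numerically, using only the relations stated above: (7), (8), the polynomial whose roots are $\delta$ and $\nu$, the recurrence $c_{i+1} = x\sqrt{c_i + \varepsilon}$ with $x = 2\sqrt{\kappa}/3\varepsilon$, and the limit $c_\infty$. The bisection used to find the $\varepsilon$ with $c_\infty = \rho$, and the sample value $\kappa = 1$, are my own choices and not the paper's method.

```python
import math


def optimal_parameters(kappa):
    """Section 5 parameters for a given kappa = n0 * d0 (kappa is a constructed input).

    delta and nu are the roots of X^2 - (6 rho^2/kappa) X + 3 rho/kappa, which exist
    iff the discriminant is >= 0, i.e. rho >= (kappa/3)^(1/3). Minimising rho makes
    the root double: delta = nu = 3 rho^2 / kappa = (3/kappa)^(1/3), and c = 3 rho.
    """
    rho = (kappa / 3.0) ** (1.0 / 3.0)
    s = 6.0 * rho ** 2 / kappa          # delta + nu, from (7) and (8)
    p = 3.0 * rho / kappa               # delta * nu, from (7)
    discriminant = s * s - 4.0 * p      # vanishes at the optimum (up to rounding)
    delta = nu = s / 2.0                # the double root
    return {"rho": rho, "delta": delta, "nu": nu, "c": 3.0 * rho,
            "discriminant": discriminant}


def relation_collection_exponent(kappa, rho, delta, nu):
    """L(1/3, .) exponent of relation collection: expected trials times |B|."""
    return kappa * (delta + nu) / (3.0 * rho) + rho


def search_space_exponent(kappa, delta, nu):
    """L(1/3, .) exponent counting the phi = A(theta) in the sieving space."""
    return kappa * nu * delta


def descent_limit(kappa, eps):
    """Limit c_inf of the smoothness constants c_i along the descent of Section 6."""
    x = 2.0 * math.sqrt(kappa) / (3.0 * eps)
    return x / 2.0 * (x + math.sqrt(x * x + 4.0 * eps))


def descent_sequence(kappa, eps, c0=1.0, steps=40):
    """c_0, c_1, ... with c_{i+1} = x * sqrt(c_i + eps); c_0 = 1 is the starting norm |Delta|."""
    x = 2.0 * math.sqrt(kappa) / (3.0 * eps)
    cs = [c0]
    for _ in range(steps):
        cs.append(x * math.sqrt(cs[-1] + eps))
    return cs


def descent_constant(kappa, tol=1e-12):
    """Smallest eps with c_inf(eps) <= rho, i.e. the descent ends inside the factor base.

    c_inf is decreasing in eps, so a plain bisection suffices (my numerical choice).
    """
    rho = optimal_parameters(kappa)["rho"]
    lo, hi = 1e-9, 1e3
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if descent_limit(kappa, mid) > rho:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    kappa = 1.0  # constructed sample value
    prm = optimal_parameters(kappa)
    eps = descent_constant(kappa)
    print("rho=%.4f  delta=nu=%.4f  c=3rho=%.4f" % (prm["rho"], prm["delta"], prm["c"]))
    print("relation collection exponent: %.4f" %
          relation_collection_exponent(kappa, prm["rho"], prm["delta"], prm["nu"]))
    print("search space exponent:        %.4f" % search_space_exponent(kappa, prm["delta"], prm["nu"]))
    print("descent constant eps=%.4f (< c)  c_inf(eps)=%.4f" % (eps, descent_limit(kappa, eps)))
```

For every $\kappa$ the bisection lands on $\varepsilon = 2\rho$, which is below the $3\rho$ of the relation collection and linear algebra phases, as the remark above states.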

7 Discrete Logarithm algorithm and principality testing 

We follow the approach of Vollmer in quadratic fields [18] to compute discrete
logarithms without computing the group structure of $Cl(\mathcal{O}_K)$. Given two ideals
$\mathfrak{a}$ and $\mathfrak{b}$ such that there exists an integer $x$ satisfying $\mathfrak{b} = \mathfrak{a}^x$, we wish to compute
$x$. We enlarge the factor base with $\mathfrak{a}$ and $\mathfrak{b}$ and let $\mathcal{B}' = \mathcal{B} \cup \{\mathfrak{a}, \mathfrak{b}\}$. Then we
use the methods of §6 to decompose $\mathfrak{a}$ and $\mathfrak{b}$ over $\mathcal{B}$, thus creating two extra
relations over $\mathcal{B}'$

$$\mathfrak{p}_1^{e_1}\cdots\mathfrak{p}_N^{e_N}\,\mathfrak{a} = (\alpha_{\mathfrak{a}}), \qquad \mathfrak{p}_1^{f_1}\cdots\mathfrak{p}_N^{f_N}\,\mathfrak{b} = (\alpha_{\mathfrak{b}}). \qquad (9)$$



Then we construct the extended relation matrix

$$M' := \begin{pmatrix} M_{\mathbb{Z}} & (0) & (0) \\ v_{\mathfrak{a}} & 1 & 0 \\ v_{\mathfrak{b}} & 0 & 1 \end{pmatrix},$$

where $v_{\mathfrak{a}} = (e_1, \dots, e_N)$ and $v_{\mathfrak{b}} = (f_1, \dots, f_N)$. The relation $\mathfrak{b} = \mathfrak{a}^x$ corresponds
to the row vector $v_x := (0, \dots, 0, 1, -x)$ which is a combination of the rows of
$M'_{\mathbb{Z}}$ under Heuristic 1. Therefore, there exists $X = (x_1, \dots, x_{N+Kr+2})$ such that
$XM'_{\mathbb{Z}} = v_x$. In particular $x_{N+Kr+2} = -x$. We can thus obtain $x$ by solving $XA = u$
where



$$A := \begin{pmatrix} M_{\mathbb{Z}} & (0) \\ v_{\mathfrak{a}} & 1 \\ v_{\mathfrak{b}} & 0 \end{pmatrix}$$

and $u = (0, \dots, 0, 1)$.



It is shown in [14] that the complexity of this step is in

$$O\big(N^3(\log_2 n + \log_2|A|)^2\big),$$

where $|A| = \max|a_{ij}|$. We already know a bound on the norm of the coefficients
of $M_{\mathbb{Z}}$, but we still have to bound those of $v_{\mathfrak{a}}$ and $v_{\mathfrak{b}}$.

Lemma 2. The size of the coefficients of $\mathfrak{a}$ and $\mathfrak{b}$ is bounded by $O(\log_2|\Delta|\,\log_2\log_2|\Delta|)$.

Proof. At each smoothing step, an ideal $I$ of norm satisfying $\mathcal{N}(I) \le O(\log_2|\Delta|)$
is smoothed. The largest possible exponent $e$ of this decomposition occurs if
$I = \mathfrak{p}_i^e$, thus yielding

$$e \le \frac{\log\mathcal{N}(I)}{\log\mathcal{N}(\mathfrak{p}_i)} \in O(\log_2|\Delta|).$$

The depth of the tree is bounded by $O(\log_2\log_2|\Delta|)$, so the size of the maximal
coefficient occurring in the decomposition of $\mathfrak{a}$ and $\mathfrak{b}$ is bounded by $O(\log_2|\Delta|\,\log_2\log_2|\Delta|)$.

We know from Proposition 1 that $|M_{\mathbb{Z}}| = O((\log_2|\Delta|)^{2/3}(\log_2\log_2|\Delta|)^{1/3})$,
allowing us to conclude that the overall expected time of the discrete logarithm
algorithm is bounded by $L(1/3, 3\rho + o(1))$ where $\rho = \sqrt[3]{\kappa/3}$.

Proposition 3. Let $\mathfrak{a}$ and $\mathfrak{b}$ be ideals such that there exists $x \in \mathbb{Z}$ satisfying
$\mathfrak{b} = \mathfrak{a}^x$. Under Heuristics 1 and 2, the expected time to compute $x$ is in

$$L(1/3, 3\rho + o(1)),$$

where $\rho = \sqrt[3]{\kappa/3}$.



Now let us study how we can decide whether a given arbitrary ideal $I$ is
principal, and if so compute $\alpha$ such that $I = (\alpha)$. To this end, we first decompose
$I$ over $\mathcal{B}$ using Theorem 1. We thus obtain a vector $b \in \mathbb{Z}^N$ representing the
decomposition of $I$ over $\mathcal{B}$. As we assume Heuristic 1, $b$ belongs to the lattice
spanned by the rows of $M_{\mathbb{Z}}$ if and only if $I$ is principal. Therefore, solving
$XM_{\mathbb{Z}} = b$ allows us to decide whether $I$ is principal. Using the same strategy as
for the analysis of the discrete logarithm problem algorithm, we can prove that
this step has complexity $L(1/3, 3\rho + o(1))$.

Proposition 4. Under Heuristics 1 and 2, the expected time to decide if $I$ is
principal and to compute a compact representation of $\alpha$ such that $I = (\alpha)$ is
bounded by

$$L(1/3, 3\rho + o(1)),$$

where $\rho = \sqrt[3]{\kappa/3}$.